Title: Auditing permissions · Issue #59935 · nodejs/node · GitHub
Open Graph Title: Auditing permissions · Issue #59935 · nodejs/node
X Title: Auditing permissions · Issue #59935 · nodejs/node
Description: What is the problem this feature will solve? Setting permissions can help protect your resources, but adding these requirements to an existing project can take trial and error as you figure out which permissions you need to grant. Auditi...
Open Graph Description: What is the problem this feature will solve? Setting permissions can help protect your resources, but adding these requirements to an existing project can take trial and error as you figure out whi...
X Description: What is the problem this feature will solve? Setting permissions can help protect your resources, but adding these requirements to an existing project can take trial and error as you figure out whi...
Opengraph URL: https://github.com/nodejs/node/issues/59935
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Auditing permissions","articleBody":"### What is the problem this feature will solve?\n\nSetting permissions can help protect your resources, but adding these requirements to an existing project can take trial and error as you figure out which permissions you need to grant. **Auditing** can make this easier.\n\nWhen a rule is audited, it means it isn't enforced but it _is_ monitored. This allows you to test it without breaking code.\n\nAfter a user has done an audit, they could see what resources were and weren't accessed and set **enforced** permissions accordingly.\n\n### What is the feature you are proposing to solve the problem?\n\nAn \"audit mode\" could be added to the permissions API to allow permission violations to be logged but not prevented. It could be part of the command-line flag:\n```sh\n--permission=audit --allow-fs-read=.\n```\nWith this configuration, read operations outside the CWD would be logged.\n\n### What alternatives have you considered?\n\nOne problem with an audit mode is that you cannot **both enforce and audit** different sets of permissions at the same time. An alternative would be to use separate flags for auditing, kind of like how the `Content-Security-Policy-Report-Only` HTTP header works.\n\nSay you are currently restricting access to outside write operations but want to test stricter rules. You could do something like this:\n```sh\n--permission --allow-fs-read=* --allow-fs-write=. --audit-permission --audit-allow-fs-read=. --audit-allow-fs-write=dist\n```","author":{"url":"https://github.com/DNin01","@type":"Person","name":"DNin01"},"datePublished":"2025-09-19T19:02:43.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/59935/node/issues/59935"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:3bd5a49d-e7c8-17fb-8b30-8d0f19383c3d |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C638:3ECFD9:55E843:727A75:6A4C7B52 |
| html-safe-nonce | 3be616f6411ac9876894c6d8dd61ed23a61453f7855ebcec3b61a6ad0465c9ec |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDNjM4OjNFQ0ZEOTo1NUU4NDM6NzI3QTc1OjZBNEM3QjUyIiwidmlzaXRvcl9pZCI6IjQ0NjkwNzg4ODUzNDY4NjgwNTAiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | b736633c94d309c8d56f8dda525bddd2f3b7841f50c64d8d3bccc3bf27c678bd |
| hovercard-subject-tag | issue:3435567319 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/59935/issue_layout |
| twitter:image | https://opengraph.githubassets.com/38d473d1f7b9ce59a425c50bbdb1205a1f2444ecfa5bf9ff100095f2014c9a1b/nodejs/node/issues/59935 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/38d473d1f7b9ce59a425c50bbdb1205a1f2444ecfa5bf9ff100095f2014c9a1b/nodejs/node/issues/59935 |
| og:image:alt | What is the problem this feature will solve? Setting permissions can help protect your resources, but adding these requirements to an existing project can take trial and error as you figure out whi... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | DNin01 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 56ac743bebb13694b888673bb7257f4b97a4b7fd |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width